Get to Know Us

Horizon3.ai is a fast-growing, remote cybersecurity company dedicated to the mission of enabling organizations to proactively find, fix and verify exploitable attack vectors before criminals exploit them. Our flagship product, the NodeZeroTM platform, delivers production-safe autonomous pentests and other key assessment operations that scale across the largest internal, external, cloud, and hybrid cloud environments. NodeZero has been adopted by organizations of all sizes, from small educational institutions to government agencies and Global 100 enterprises. It is used by IT Ops/SecOps teams, consulting pentesters, and MSSPs and MSPs.

We are a fusion of former U.S. Special Operations cyber operators, startup engineers & operators, and formerly frustrated cybersecurity practitioners. We're committed to helping solve our common security problems: ineffective security tools and false positives, resulting in alert fatigue, blind spots, "checkbox” security culture, cybersecurity skills shortage, and the long lead time and expense of hiring outside consultants. Collectively, we are a team of learn-it-alls, committed to a culture of respect, collaboration, ownership, and results.

Summary

Are you passionate about the offensive side of cybersecurity? We are looking for a highly experienced Senior Internal Red Team Engineer with extensive, hands-on experience in cloud and web application penetration testing. Your primary mission will be to emulate advanced, real-world adversaries to test our defenses and bridge the gap between technical TTPs and our business's security posture.

You will have a significant impact on our company's security posture by identifying and exploiting complex vulnerabilities in our most critical systems before our adversaries can, helping to protect and preserve the value of our data and digital services.

Essential Functions

• Threat Modeling & Attack Planning: Conduct comprehensive threat modeling and risk assessments to identify high-value targets, analyze potential attack vectors, and prioritize red team objectives.

• Lead Red Team Operations: Design and execute end-to-end, objective-based red team operations targeting our production cloud and web environments, simulating real-world scenarios to test our defenses.

• Source Code Review: Perform deep, security-focused source code reviews (primarily in Python and JavaScript) to identify complex vulnerabilities like logic flaws, injection, and RCE.

• Cloud & Kubernetes Configuration Audits: Lead comprehensive security configuration audits of our AWS, Azure, GCP, Digital Ocean, and Kubernetes (K8s) environments, identifying exploitable misconfigurations, overly permissive IAM policies, and insecure network settings.

• CI/CD Pipeline Security: Assess and test the security of our CI/CD pipelines (e.g., Jenkins, GitLab CI, GitHub Actions, ArgoCD, Crossplane, etc…) to identify attack paths, secret management flaws, and vulnerabilities that could lead to supply chain attacks.

• Advanced Penetration Testing: Conduct in-depth penetration tests against critical web applications, APIs, and cloud-native services.

• Purple Teaming: Actively collaborate with engineering and defensive teams (Blue Team) in purple team exercises to validate findings and improve detection and response capabilities in real-time. Perform retesting for validation of mitigations or remediations.

• Tool & Methodology Development: Develop custom tooling, exploits, and automation scripts as required to bypass security controls. Develop and maintain red team methodologies, tools, and infrastructure.

• Threat Research: Stay abreast of the latest threat intelligence, vulnerabilities, and exploits; research and develop new exploitation techniques relevant to our technology stack.

• Reporting & Communication: Investigate, own, and report on vulnerabilities, exploit paths, and their business impact. Author clear, detailed reports and present findings to both technical and leadership audiences.

Competencies/Requirements

• 5+ years of hands-on experience in offensive security, with a demonstrable track record of leading complex web application and cloud penetration tests.

• Proven ability to read, review, and identify vulnerabilities in source code (especially Python and JavaScript).

• Deep, practical experience attacking and auditing cloud environments (eg: AWS, GCP, Azure) environments (e.g., S3, EC2, RDS, IAM, Lambda, Azure Blob Storage, Google Cloud Storage, etc...) and Kubernetes clusters.

• Must hold one or more advanced, industry-recognized offensive security certifications: OSCP, OSWE, OSCE, CRTO, or GIAC (GCPN, GXPN).

• Expert-level knowledge of modern web application security, including the OWASP Top 10, API security, and common framework vulnerabilities.

• Strong proficiency in common offensive security tools (e.g., Burp Suite, Nmap) and C2 frameworks (e.g., Cobalt Strike, Sliver, Brute Ratel).

• Strong written and verbal communication, including technical documentation and the ability to explain technology to non-technical audiences.

Desired/Nice to Have

• Experience in a blue team, incident response, or system administration role.

• Experience with other cloud providers (e.g., GCP, Azure).

• Experience with OSINT, phishing, and social engineering campaigns.

• Familiarity with WAF technologies (e.g., AWS WAF, Akamai).

• Relevant cloud or K8s certifications (e.g., AWS Certified Security - Specialty, Certified Kubernetes Administrator (CKA))

Expectations

• Outstanding problem-solving aptitude and an attacker's mindset.

• Be self-motivated, persistent, and highly energetic, with the ability to operate effectively with limited supervision.

• Ability to adapt to new technologies and challenges.

• Proficient in designing, presenting, and evaluating technical solutions and attack paths.

What makes you stand out

• A history of recognized security research, including documented CVE discoveries or published whitepapers.

• A track record of successful, high-impact contributions to bug bounty programs.

• Publicly released security tools or contributions to major open-source security projects.

• Experience presenting research at major security conferences (e.g., Black Hat, DEF CON).

Travel Required

We are a fully remote company, and this job may require up to 5% of travel to be successful.

Compensation and Values

At Horizon3, we believe that our people are our greatest asset, and our compensation philosophy reflects this core value. We are committed to fostering an environment where all employees feel valued, respected, and rewarded for their contributions. Our compensation structure is designed to be fair, competitive, and transparent, ensuring that every team member is recognized and compensated equitably across roles, levels, and locations.

In accordance with various State’s transparency regulations, we provide the following salary range information for this position:

• Base salary range: $195,000 - $242,000 annually. The exact salary will be determined based on the selected candidate’s location, qualifications, experience, and relevant skills.

• Additional compensation: All full-time roles are eligible for an equity package in the form of stock options.

Perks of Horizon3.ai

• Inclusive Team: We value diversity and promote an inclusive culture where everyone can thrive.

• Growth Opportunities: Be part of a dynamic and growing team with numerous career development opportunities.

• Innovative Culture: Work in a collaborative environment that encourages creativity and out-of-the-box thinking.

• Remote Work: We are a 100% remote company. Enjoy the flexibility to work in the way that supports you and brings out your best.

• Competitive Compensation: We offer competitive salary, equity and benefits. Our benefits include health, vision & dental insurance for you and your family, a flexible vacation policy, and generous parental leave.

You Belong Here

Horizon3 is not just an equal opportunity employer - we are a community that values diversity, equity, and inclusion as fundamental principles of our culture and success. We are dedicated to fostering a workplace where everyone feels welcome and respected, regardless of race, color, religion, sex, national origin, age, disability, veteran status, sexual orientation, gender identity or expression, genetic information, marital status, hair length or any other legally protected status by law.

Our commitment to diversity and inclusion means we strive to attract, develop, and retain a workforce that reflects the varied communities we serve. We believe that diverse perspectives drive innovation and strengthen our ability to create cutting-edge cybersecurity solutions. At Horizon3, every team member is valued and supported in an environment that encourages personal and professional growth.

We welcome candidates from all backgrounds and experiences, and we encourage all qualified individuals to apply. Come be a part of Horizon3, where your unique contributions are recognized, and your potential is limitless.

Other Duties

Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee. Duties, responsibilities, and activities may change at any time with or without notice.

Application Note

In any materials you submit, you may redact or remove age-identifying information such as age, date of birth, or dates of school attendance or graduation. You will not be penalized for redacting or removing this information